I’m running openHUB (openHABian) on an Intel NUC. I’d like to harden Ubuntu as much as necessary, as little as possible. To be honest I don’t want to create a “Fort Knox” but a minimum level of security.
Let’s summarize here some steps for hardening Ubuntu (or Linux in general).
Use strong non-default passwords
Change user password (e.g. for user openhabian):
passwd
Change root password
sudo passwd
By default root does not have a password and the root account is locked until you give it a password. So there’s no need to change root password.
Change Samba password for openhabian
sudo smbpasswd openhabian
Password for Karaf remote console (e.g. “openhab:habopen”):
The password is stored in the file users.properties, located in the etc directory:
→ http://docs.openhab.org/administration/console.html#changing-the-password
This password can also be easily changed via the openHABian menu
sudo openhabian-config
→ 30 System Settings → 34 change passwords
Disk encryption
This option can easily be activated (encrypted LVM) but is not recommended for a dedicated openHUB server:
- normally there’s no sensitive data on a dedicated home automation server
- manual steps are needed for booting/rebooting
Security updates
Every server needs software packages to fulfill its destiny during the lifetime of the system. Ensure that it gets regularly patched and updated.
In general there are two strategies:
- Do it manually to have full control: Make a habit of checking for updates on a regular basis
- Activate automatic updates. You lose some control of your system but this guarantees an absolutely up-to-date system
Ubuntu Desktop
There’s a dedicated menu for updates:
→ Software & Updates
BTW: Does Ubuntu Desktop reboot automatically if needed? Where can Automatic-Reboot-Time be set (e.g. “02:00”)?
Ubuntu Server
Install package
sudo apt install unattended-upgrades
Edit the following file:
/etc/apt/apt.conf.d/50unattended-upgrades
Is there any suggested setting? In my opinion we should focus here on security updates only, right?
→ "${distro_id}:${distro_codename}-security";
Activate automatic reboots:
→ Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Firewall / IP address blocking
Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect services.
SSH keys
UFW - Uncomplicated FireWall
Easier administration of Linux
Webmin
Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.
Think big, start small
Other points?
Is there any other point to be watched?
Links
https://help.ubuntu.com/lts/serverguide/automatic-updates.html
Next steps
Please feel free to share your opinions and “best practices”. I’ll then update the above guide. Thank you very much in advance.
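For the Ubuntu Server settings in /etc/apt/apt.conf.d/50unattended-upgrades listed above, here is a small audit script, added as an example and not part of the original post. It checks that a -security origin is active and flags a reboot time that has no effect because `Unattended-Upgrade::Automatic-Reboot` is not set to "true"; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a 50unattended-upgrades file.

# Print the file without //-comment lines, so commented-out settings do not count.
active_lines() {
    sed -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' "$1"
}

# Print the quoted value of an active apt.conf key (empty if the key is not set).
conf_value() {   # usage: conf_value FILE KEY
    active_lines "$1" |
        sed -n "s|^[[:space:]]*$2[[:space:]]*\"\\([^\"]*\\)\";.*|\\1|p" | tail -n 1
}

# Report findings on stdout; return 0 only if there are none.
audit_unattended() {   # usage: audit_unattended FILE
    au_findings=0
    if ! active_lines "$1" | grep -q -- '-security";'; then
        echo "FINDING: no active -security origin"
        au_findings=$((au_findings + 1))
    fi
    au_reboot=$(conf_value "$1" 'Unattended-Upgrade::Automatic-Reboot')
    au_time=$(conf_value "$1" 'Unattended-Upgrade::Automatic-Reboot-Time')
    if [ -n "$au_time" ] && [ "$au_reboot" != "true" ]; then
        echo "FINDING: Automatic-Reboot-Time is $au_time but Automatic-Reboot is not \"true\""
        au_findings=$((au_findings + 1))
    fi
    [ "$au_findings" -eq 0 ]
}

# Constructed sample: the two settings from the post, reboot switch still commented out.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
# Corrected variant: enable the reboot switch so the reboot time takes effect.
sed 's|^//\(Unattended-Upgrade::Automatic-Reboot \)"false";|\1"true";|' \
    "$demo_dir/weak.conf" > "$demo_dir/fixed.conf"

audit_unattended "$demo_dir/weak.conf" || echo "weak.conf: needs attention"
audit_unattended "$demo_dir/fixed.conf" && echo "fixed.conf: ok"
```

On a real system, point `audit_unattended` at /etc/apt/apt.conf.d/50unattended-upgrades; settings placed in other files under apt.conf.d are not seen by this single-file check.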